Privacy Policy
Last updated: March 20, 2026
Data controller
Blip is operated by bmcreations. For questions about this policy or your data, contact privacy@useblip.email.
What we collect
Blip collects the minimum data needed to operate the service:
- Email content: Emails received by your disposable inboxes, including headers, body, and attachments (Pro tier only). Email data is encrypted at rest.
- Account data: If you sign in, we store an internal identifier and your email address for authentication. We do not store passwords.
- Payment data: Payments are processed by Stripe. We store only your Stripe customer ID, not your card details.
- Session data: Anonymous sessions are identified by a random token. We store a hashed IP address to enforce rate limits and prevent abuse.
- Usage data: Server logs may temporarily contain IP addresses, request paths, and timestamps for debugging and abuse prevention.
Lawful basis for processing
Under GDPR, we process your data on the following bases:
- Contract: To provide the service you signed up for (inbox creation, email delivery, paid features).
- Legitimate interest: To prevent abuse, enforce rate limits, and maintain service security.
- Legal obligation: To comply with applicable laws and respond to lawful requests.
How we use your data
- To deliver email to your disposable inboxes
- To forward emails when you configure forwarding rules
- To send replies on your behalf (Pro tier)
- To process payments and manage your subscription
- To enforce rate limits and prevent abuse
- To send transactional emails (sign-in links)
We do not sell your data. We do not use your data for advertising. We do not profile you.
Data retention
| Data type | Retention |
|---|---|
| Emails (Free tier) | 24 hours |
| Emails (Pro tier) | 30 days |
| Emails (Agent tier) | 24 hours |
| Inboxes (Free tier) | 24 hours |
| Inboxes (Pro tier) | 90 days |
| Anonymous sessions | 24 hours |
| Account data | Until you request deletion |
| Payment records | As required by law |
| Server logs | 7 days |
When you delete an inbox, all associated emails, attachments, webhooks, and forwarding rules are permanently removed.
Third-party services (sub-processors)
| Service | Purpose | Data location |
|---|---|---|
| Cloudflare | Email routing, CDN, DNS | Global edge |
| Turso (libSQL) | Database | US East |
| Railway | Application hosting | US East |
| Stripe | Payment processing | US / EU |
| Resend | Outbound email (replies, forwarding, sign-in links) | US |
International data transfers
Your data may be transferred to and processed in the United States, where our infrastructure is hosted. These transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards provided by our sub-processors. Cloudflare processes data at the nearest edge location, which may include servers in the EU.
Your rights
Under GDPR and similar privacy laws, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing of your data
- Port your data to another service
- Object to processing based on legitimate interest
You can delete your inboxes and their contents at any time from the app. To exercise any of these rights or delete your account entirely, contact privacy@useblip.email.
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your local data protection authority.
Cookies
Blip does not use tracking cookies or analytics. The only client-side storage used is a session token in your browser's local storage, which is essential for the service to function.
Children
Blip is not intended for use by anyone under the age of 16. We do not knowingly collect data from children.
Changes
We may update this policy. Material changes will be communicated via the app. Continued use after changes constitutes acceptance.
Contact
For privacy inquiries: privacy@useblip.email
For general support: support@useblip.email